Specifying a dynamic authorization header for a REST API datastore
When you configure an Open ID Connect identity provider (IdP) connection with an application, you can use the access token from the connection as a bearer token in an authorization header to receive additional information as needed.
Before you begin
-
Create a Service Provider Open ID Connect IdP connection.
-
Configure an Identity Provider authentication policy for the connection.
Steps
-
Make the Open ID Connect call to the application to obtain the access token that you plan to use as a bearer token.
After you’ve made the connection, you can find the access token attribute name in
<pf_install>/pingfederate/log/server.log
in debug mode. -
On the Configure Data Source Filters window, enter the access token attribute name in the Authorization Header field.
You can reference attribute values in the form of
${attributeName:-defaultValue}
. The default value is optional. When specified, it is used at runtime if the attribute value is not available. Do not use${
and}
in the default value.
ExampleAuthorization Headers
Authorization Header entries are shown here for Yahoo and Google Open ID Connect IdP connections:
-
For Yahoo:
Bearer ${idp.https://api.login.yahoo.com.access_token}
-
For Google:
Bearer ${idp.https://accounts.google.com.access_token}